Ransomware meets Linux - on the command line!

Ransomware meets Linux - on the command line!

Lisi Reisz
https://www.sophos.com/en-us/support/knowledgebase/118624.aspx
Comments, please - I'm not sure how to evaluate this or how to react.
Thanks,
Lisi

Re: Ransomware meets Linux - on the command line!

Stuart Longland-3
On 12/11/15 08:24, Lisi Reisz wrote:
> https://www.sophos.com/en-us/support/knowledgebase/118624.aspx
> Comments. please - I'm not sure how to evaluate this or how to react.

I don't see any mention of ransomware threats on that page.

--
Stuart Longland (aka Redhatter, VK4MSL)

I haven't lost my mind...
  ...it's backed up on a tape somewhere.

Re: Ransomware meets Linux - on the command line!

Lisi Reisz
On Thursday 12 November 2015 01:32:21 Stuart Longland wrote:
> On 12/11/15 08:24, Lisi Reisz wrote:
> > https://www.sophos.com/en-us/support/knowledgebase/118624.aspx
> > Comments. please - I'm not sure how to evaluate this or how to react.
>
> I don't see any mention of ransomware threats on that page.

Wrong page - sorry.  It is clearly time I was in bed!
https://nakedsecurity.sophos.com/2015/11/11/ransomware-meets-linux-on-the-command-line/
Lisi

Re: Ransomware meets Linux - on the command line!

Cindy Sue Causey
On 11/11/15, Lisi Reisz <[hidden email]> wrote:
> On Thursday 12 November 2015 01:32:21 Stuart Longland wrote:
>> On 12/11/15 08:24, Lisi Reisz wrote:
>> > https://www.sophos.com/en-us/support/knowledgebase/118624.aspx
>> > Comments. please - I'm not sure how to evaluate this or how to react.
>>
>> I don't see any mention of ransomware threats on that page.
>
> Wrong page - sorry.  It is clearly time I was in bed!
> https://nakedsecurity.sophos.com/2015/11/11/ransomware-meets-linux-on-the-command-line/


When it didn't work for me, I just figured it was one of those links
that self-destructs or something when it's passed between users. There
are some dynamically designed sites (for lack of better terminology)
that nothing you do preserves a link for sharing. You end up having to
give instructions on how to replicate a search instead of providing
the link. :)

It sounds not so good to me when it comes to having new, VULNERABLE
users in mind. Well, or even old, tired ones who aren't thinking so
quick on their feet (speaking firsthand, grin).

Is this something that should be shared over at Debian-Security? This
is my head nodding over in your direction, Lisi, since you found it.
:)

https://lists.debian.org/debian-security/

I'm seeing words like "not moderated" and "posting is allowed by
anyone" in that list's description.

I'm naturally *a-suming* that they probably already know, but you
never know if they do. It sounds like something that Linux derivatives
need to yell from the rooftops to protect their more vulnerable users
(rather than keeping quiet and pretending it doesn't exist or
something).

I wonder about nudging Debian-Publicity, too, so they can see what
angle they might could possibly consider regarding the topic. Their
information target could be to help users stay alert and proactive in
avoiding this.... garbage. Same-same goes for that list: "This list is
not moderated; posting is allowed by anyone."

https://lists.debian.org/debian-publicity/

For fun, I checked my inbox for any references to the ransomware.
There are ZERO references in what's probably at least 150,000 emails
or more. For that reason, I'm adding the name here: Ransm-C and
Linux/Ransm-C so this thread becomes searchable for it. :)

In the end, all the above is just.... my occasionally usual
not-so-humble (and yes, rambling) Opinion... :)

Cindy :)

--
Cindy-Sue Causey
Talking Rock, Pickens County, Georgia, USA

* runs with plastic sporks *

Re: Ransomware meets Linux - on the command line!

Cindy Sue Causey
On 11/11/15, Cindy-Sue Causey <[hidden email]> wrote:
>
> For fun, I checked my inbox for any references to the ransomware.
> There are ZERO references in what's probably at least 150,000 emails
> or more. For that reason, I'm adding the name here: Ransm-C and
> Linux/Ransm-C so this thread becomes searchable for it. :)


After I "hung up the cyber phone" aka sent that last email, I searched
my inbox for the word "ransomware". *smacking my head* for not
thinking to do so originally. Brian Krebs of Krebs On Security had
something on ransomware and Linux, just not labeled Ransm-C or
anything:

http://krebsonsecurity.com/2015/11/ransomware-now-gunning-for-your-web-sites/

IF I'm understanding correctly, he appears to have updated that
article with a *potential* way to beat it via a *potential*
vulnerability.... at least until the perpetrators upgrade their own
tactics, anyway.

I like what Brian's been doing. I can cognitively understand a LOT of
what he writes about. He's caught SlashDot's eye a time or two, too.

Adding another keyword here, Linux.Decoder.1, which Brian says was a
name dubbed by "Russian antivirus and security firm Dr.Web". It may or
may not be the same as the other, but sounds like it works
similar'ISH.

Next stop is to pop over to a group called BlindWebbers. I'd seen
Brian's email subject line earlier and thought instantly of them, just
didn't get around to opening it then. The guy in Brian's article makes
it sound like it's a little time consuming and still has incidental
glitches afterwards.

That's presumably coming from someone with no visual disabilities. The
difficulty level of getting one's website back would understandably
rise relative to one's ability or lack thereof to actually see what's
going on within the file hierarchy..... AND apparently each single
file that reportedly stands to potentially gather random bits AFTER
the files have been decrypted.

Just thinking out loud...

Cindy

--
Cindy-Sue Causey
Talking Rock, Pickens County, Georgia, USA

* runs with plastic sporks *

Re: Ransomware meets Linux - on the command line!

Joel Rees-3
In reply to this post by Lisi Reisz

W-e-e-e-ll-ll-ll, ...........

2015/11/12 10:47 "Lisi Reisz" <[hidden email]>:
>
> On Thursday 12 November 2015 01:32:21 Stuart Longland wrote:
> > On 12/11/15 08:24, Lisi Reisz wrote:
> > > https://www.sophos.com/en-us/support/knowledgebase/118624.aspx
> > > Comments. please - I'm not sure how to evaluate this or how to react.
> >
> > I don't see any mention of ransomware threats on that page.
>
> Wrong page - sorry.  It is clearly time I was in bed!
> https://nakedsecurity.sophos.com/2015/11/11/ransomware-meets-linux-on-the-command-line/
> Lisi

... and Sophos is a manufacturer of ...

drumroll please

... antivirus software for Linux and Unix.

Surprised?

Anyway, this is just basically old news. It's representative of the primary reasons we care about permissions. And backups, too.

(And it's part of the industry undercurrent of the technical fooferah that came to a head here this past spring, but, whatever.)

If the Sophos articles help people recognize that protecting their data is important, that's all good.

And if they sell a few (thousand) more copies of their antivirus in the process, who's to grudge it them?

Right?

(And just in case I seem to be sarcastic, I am not sure how sarcastic I am here. The world is not as simple as it used to be.)

--
Joel Rees

Computer memory is just fancy paper,
CPUs just fancy pens.
All is a stream of text
flowing from the past into the future.

Re: Ransomware meets Linux - on the command line!

Ralph Katz
In reply to this post by Cindy Sue Causey
On 11/11/2015 10:24 PM, Cindy-Sue Causey wrote:

[...]

> Brian Krebs of Krebs On Security had
> something on ransomware and Linux, just not labeled Ransm-C or
> anything:
>
> http://krebsonsecurity.com/2015/11/ransomware-now-gunning-for-your-web-sites/
>
> IF I'm understanding correctly, he appears to have updated that
> article with a *potential* way to beat it via a *potential*
> vulnerability.... at least until the perpetrators upgrade their own
> tactics, anyway.
>
> I like what Brian's been doing. I can cognitively understand a LOT of
> what he writes about. He's caught SlashDot's eye a time or two, too.
>
> Adding another keyword here, Linux.Decoder.1, which Brian says was a
> name dubbed by "Russian antivirus and security firm Dr.Web". It may or
> may not be the same as the other, but sounds like it works
> similar'ISH.
>
> Next stop is to pop over to a group called BlindWebbers. I'd seen
> Brian's email subject line earlier and thought instantly of them, just
> didn't get around to opening it then. The guy in Brian's article makes
> it sound like it's a little time consuming and still has incidental
> glitches afterwards.
>
> That's presumably coming from someone with no visual disabilities. The
> difficulty level of getting one's website back would understandably
> rise relative to one's ability or lack thereof to actually see what's
> going on within the file hierarchy..... AND apparently each single
> file that reportedly stands to potentially gather random bits AFTER
> the files have been decrypted.
As a user, I, too, find Krebs informative.  Also notable was this recent
Washington Post article about Linus Torvalds and Linux security:

http://www.washingtonpost.com/sf/business/2015/11/05/net-of-insecurity-the-kernel-of-the-argument/

"Fast, flexible and free, Linux is taking over the online world. But
there is growing unease about security weaknesses."

Regards,
Ralph

Re: Ransomware meets Linux - on the command line!

Piyavkin
On 12.11.2015 21:14, Ralph Katz wrote:

> On 11/11/2015 10:24 PM, Cindy-Sue Causey wrote:
>
> [...]
>
>> Brian Krebs of Krebs On Security had
>> something on ransomware and Linux, just not labeled Ransm-C or
>> anything:
>>
>> http://krebsonsecurity.com/2015/11/ransomware-now-gunning-for-your-web-sites/
>>
>> IF I'm understanding correctly, he appears to have updated that
>> article with a *potential* way to beat it via a *potential*
>> vulnerability.... at least until the perpetrators upgrade their own
>> tactics, anyway.
>>
>> I like what Brian's been doing. I can cognitively understand a LOT of
>> what he writes about. He's caught SlashDot's eye a time or two, too.
>>
>> Adding another keyword here, Linux.Decoder.1, which Brian says was a
>> name dubbed by "Russian antivirus and security firm Dr.Web". It may or
>> may not be the same as the other, but sounds like it works
>> similar'ISH.
>>
>> Next stop is to pop over to a group called BlindWebbers. I'd seen
>> Brian's email subject line earlier and thought instantly of them, just
>> didn't get around to opening it then. The guy in Brian's article makes
>> it sound like it's a little time consuming and still has incidental
>> glitches afterwards.
>>
>> That's presumably coming from someone with no visual disabilities. The
>> difficulty level of getting one's website back would understandably
>> rise relative to one's ability or lack thereof to actually see what's
>> going on within the file hierarchy..... AND apparently each single
>> file that reportedly stands to potentially gather random bits AFTER
>> the files have been decrypted.
> As a user, I too, find Krebs informative.  Also notable was this recent
> Washington Post article about Linus Torvalds and Linux security:
>
> http://www.washingtonpost.com/sf/business/2015/11/05/net-of-insecurity-the-kernel-of-the-argument/
>
> "Fast, flexible and free, Linux is taking over the online world. But
> there is growing unease about security weaknesses."
>
> Regards,
> Ralph
>
The ransomware articles from the security companies are pure marketing
efforts to develop customers' «pain» and to exploit it. There is nothing
new in the scheme «pay or suffer». And the companies provide nothing new
as a «cure» either (nothing that hasn't been there for decades).

Moreover, I wonder, what is the difference between the «ransomware»
business model and the so-called «planned obsolescence» business model,
which, I guess, has become a worldwide industrial standard nowadays? And
in what way should the protective measures for the two differ? I mean,
from the end user's point of view, there is not much difference if their
data have been stolen/encrypted by one crook or if their data have been
lost because of a «sudden» HDD failure planned in advance by another crook.
Except, maybe, the fact that in the first case you still have a tiny
chance to get your precious data back (maybe; which I doubt).

The WP article seems like spin. It gives us a spooky feeling of great
imminent danger radiating from Linux, but at the same time it is
surprisingly shallow and vague. Though it uses the security issue as a
pretext, I guess it's not about security.

Of course, I don't think the subject of Linux security does not deserve
attention or discussion. But what is the point of such articles as the WP
example, other than not-so-subtly playing with mass opinion with pretty
obvious commercial intent?


Regards,
Piyavkin

Re: Ransomware meets Linux - on the command line!

Gene Heskett-4
On Friday 13 November 2015 14:19:00 Piyavkin wrote:

> On 12.11.2015 21:14, Ralph Katz wrote:
> > On 11/11/2015 10:24 PM, Cindy-Sue Causey wrote:
> >
> > [...]
> >
> >> Brian Krebs of Krebs On Security had
> >> something on ransomware and Linux, just not labeled Ransm-C or
> >> anything:
> >>
> >> http://krebsonsecurity.com/2015/11/ransomware-now-gunning-for-your-
> >>web-sites/
> >>
> >> IF I'm understanding correctly, he appears to have updated that
> >> article with a *potential* way to beat it via a *potential*
> >> vulnerability.... at least until the perpetrators upgrade their own
> >> tactics, anyway.
> >>
> >> I like what Brian's been doing. I can cognitively understand a LOT
> >> of what he writes about. He's caught SlashDot's eye a time or two,
> >> too.
> >>
> >> Adding another keyword here, Linux.Decoder.1, which Brian says was
> >> a name dubbed by "Russian antivirus and security firm Dr.Web". It
> >> may or may not be the same as the other, but sounds like it works
> >> similar'ISH.
> >>
> >> Next stop is to pop over to a group called BlindWebbers. I'd seen
> >> Brian's email subject line earlier and thought instantly of them,
> >> just didn't get around to opening it then. The guy in Brian's
> >> article makes it sound like it's a little time consuming and still
> >> has incidental glitches afterwards.
> >>
> >> That's presumably coming from someone with no visual disabilities.
> >> The difficulty level of getting one's website back would
> >> understandably rise relative to one's ability or lack thereof to
> >> actually see what's going on within the file hierarchy..... AND
> >> apparently each single file that reportedly stands to potentially
> >> gather random bits AFTER the files have been decrypted.
> >
> > As a user, I too, find Krebs informative.  Also notable was this
> > recent Washington Post article about Linus Torvalds and Linux
> > security:
> >
> > http://www.washingtonpost.com/sf/business/2015/11/05/net-of-insecuri
> >ty-the-kernel-of-the-argument/
> >
> > "Fast, flexible and free, Linux is taking over the online world. But
> > there is growing unease about security weaknesses."
> >
> > Regards,
> > Ralph
>
> The ransomware articles from the security companies are pure marketing
> efforts to develop customer's «pain» and to exploit it. There is
> nothing new in the scheme «pay or suffer». And the companies provide
> nothing new as a «cure» either (which haven't been there for decades).
>
> More over, I wonder, what is the difference between the «ransomware»
> business model and so called «planned obsolescence» business model,
> which, I guess, has become worldwide industrial standard nowaday? And
> in what way should differ protective measures for both of them? I
> mean, from the end users point of view, there is no much difference if
> their data have been stolen/encrypted by one crook or if their data
> have been lost because of «sudden» HDD fail planned in advance by
> another crook. Except, may be, the fact that in the first case you
> still have a tiny chance to get your precious data back (may be, which
> I doubt).
>
> The WP article seems like a spin. It gives us a spooky filling of
> great imminent danger radiating from the Linux, but in the same time
> it is surprisingly shallow and inconcrete. Though it uses security
> thing as a pretext, I guess, it's not about security.
>
> Of course, I don't think the subject of Linux security does not
> deserve attention or discussion. But what the point in such articles
> as the WP example, except from not so subtly playing with mass opinion
> with pretty obvious commercial intention?
>
Shallow?  Devoid of facts was my impression.
>
> Regards,
> Piyavkin


Cheers, Gene Heskett
--
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Genes Web page <http://geneslinuxbox.net:6309/gene>

Re: Ransomware meets Linux - on the command line!

Piyavkin
On 13.11.2015 23:35, Gene Heskett wrote:

> On Friday 13 November 2015 14:19:00 Piyavkin wrote:
>
>> On 12.11.2015 21:14, Ralph Katz wrote:
>>> On 11/11/2015 10:24 PM, Cindy-Sue Causey wrote:
>>>
>>> [...]
>>>
>>>> Brian Krebs of Krebs On Security had
>>>> something on ransomware and Linux, just not labeled Ransm-C or
>>>> anything:
>>>>
>>>> http://krebsonsecurity.com/2015/11/ransomware-now-gunning-for-your-
>>>> web-sites/
>>>>
>>>> IF I'm understanding correctly, he appears to have updated that
>>>> article with a *potential* way to beat it via a *potential*
>>>> vulnerability.... at least until the perpetrators upgrade their own
>>>> tactics, anyway.
>>>>
>>>> I like what Brian's been doing. I can cognitively understand a LOT
>>>> of what he writes about. He's caught SlashDot's eye a time or two,
>>>> too.
>>>>
>>>> Adding another keyword here, Linux.Decoder.1, which Brian says was
>>>> a name dubbed by "Russian antivirus and security firm Dr.Web". It
>>>> may or may not be the same as the other, but sounds like it works
>>>> similar'ISH.
>>>>
>>>> Next stop is to pop over to a group called BlindWebbers. I'd seen
>>>> Brian's email subject line earlier and thought instantly of them,
>>>> just didn't get around to opening it then. The guy in Brian's
>>>> article makes it sound like it's a little time consuming and still
>>>> has incidental glitches afterwards.
>>>>
>>>> That's presumably coming from someone with no visual disabilities.
>>>> The difficulty level of getting one's website back would
>>>> understandably rise relative to one's ability or lack thereof to
>>>> actually see what's going on within the file hierarchy..... AND
>>>> apparently each single file that reportedly stands to potentially
>>>> gather random bits AFTER the files have been decrypted.
>>> As a user, I too, find Krebs informative.  Also notable was this
>>> recent Washington Post article about Linus Torvalds and Linux
>>> security:
>>>
>>> http://www.washingtonpost.com/sf/business/2015/11/05/net-of-insecuri
>>> ty-the-kernel-of-the-argument/
>>>
>>> "Fast, flexible and free, Linux is taking over the online world. But
>>> there is growing unease about security weaknesses."
>>>
>>> Regards,
>>> Ralph
>> The ransomware articles from the security companies are pure marketing
>> efforts to develop customer's «pain» and to exploit it. There is
>> nothing new in the scheme «pay or suffer». And the companies provide
>> nothing new as a «cure» either (which haven't been there for decades).
>>
>> More over, I wonder, what is the difference between the «ransomware»
>> business model and so called «planned obsolescence» business model,
>> which, I guess, has become worldwide industrial standard nowaday? And
>> in what way should differ protective measures for both of them? I
>> mean, from the end users point of view, there is no much difference if
>> their data have been stolen/encrypted by one crook or if their data
>> have been lost because of «sudden» HDD fail planned in advance by
>> another crook. Except, may be, the fact that in the first case you
>> still have a tiny chance to get your precious data back (may be, which
>> I doubt).
>>
>> The WP article seems like a spin. It gives us a spooky filling of
>> great imminent danger radiating from the Linux, but in the same time
>> it is surprisingly shallow and inconcrete. Though it uses security
>> thing as a pretext, I guess, it's not about security.
>>
>> Of course, I don't think the subject of Linux security does not
>> deserve attention or discussion. But what the point in such articles
>> as the WP example, except from not so subtly playing with mass opinion
>> with pretty obvious commercial intention?
>>
> Shallow?  Devoid of facts was my impression.

Yeah, maybe it's better to put it that way.

It seems that the author doesn't care much about facts or even about
explaining any opinions (what exactly were the arguments of Spengler or
Cook, by the way, and what exactly are the mentioned 6 and 12 points
from them?). What he really seems to be interested in is just a constructed
emotional impression (whom we should admire, whom we should condemn, and
what we should believe as a result), cooked up with common journalistic
devices and a good chunk of ideological attitude instillation. It stinks for a mile.

Regards,
Piyavkin

Re: Ransomware meets Linux - on the command line!

Himanshu Shekhar-3
I do agree with Piyavkin.
AFAICT these are perhaps marketing efforts by corporations exploiting "customer fear" and implementing their policy of "buy or suffer".
As for Linux, a user should read the message carefully and analyse it before executing a program with root privileges. That's why commands like "sudo" and "su" were made, and that's why we need "passwords" for many things in Linux, unlike other ecosystems.

It's natural to be concerned. However, we should rather be cautious before giving our root password to execute any program.
If any cure for the "ransomware" arrives, it will come first from the "development team" as "security updates" rather than from "corporations".

Regards
Himanshu Shekhar